Vermont and Nebraska: Diverging Experiments in State Age-Appropriate Design Codes
In May 2025, Nebraska and Vermont passed Age-Appropriate Design Code Acts (AADCs), continuing the bipartisan trend of states advancing protections for youth online. While these new bills arrived within the same week and share both a common name and general purpose, their scope, applicability, and substance take two very different approaches to a common goal: crafting a design code that can withstand First Amendment scrutiny.
Much like the divergence in “The Road Not Taken,” each state has taken its version of the path less traveled in crafting an AADC, informed by different assumptions about risks to minors online, risks of constitutional challenges, and enforcement priorities. As states grapple with legal challenges to earlier AADCs (California’s law remains blocked and a lawsuit was filed against Maryland’s law earlier this year) Nebraska and Vermont demonstrate how policymakers are experimenting with divergent frameworks in hopes of creating constitutionally sound models for youth online privacy and safety.
See our comparison chart for a full side-by-side comparison between the Nebraska Age-Appropriate Design Code Act (LB 504) and Vermont Age-Appropriate Design Code Act (S.69).
Two visions of scope
Each AADC’s scope turns on two key provisions – business thresholds tied to revenue and number of affected users, and an applicability standard based on either audience composition or “knowedge” of minor users on the service.
Business thresholds
Both the Nebraska and Vermont AADCs have narrower applicability than prior child online safety bills, though adopt different approaches to determining in-scope businesses.
Nebraska’s law applies only to businesses that derive more than half their revenue from selling or sharing personal data. This is an unusually high bar that could exclude many common services used by minors, including many platforms and services that are primarily supported by advertising revenue and subscriptions. Additionally, Nebraska includes a carveout for services that can demonstrate fewer than 2% of their users are minors. In contrast, the Vermont AADC likely has a broader applicability, but still only applies to businesses that derive a majority of their revenue from online services generally, regardless of how they monetize.
Applicability of when a service must apply minor protections
Another major divergence between the two AADCs lies in the circumstances under which covered businesses are deemed to know that a user is a child and required to provide heightened protections and controls.
Nebraska adopts an “actual knowledge” standard. However, the law defines “actual knowledge” as all information and inferences known to the covered business, including marketing data. Given that marketing segmentation can be as broad as “Gen Z,” covering anyone born from the late 90s to early 2010s, Nebraska’s law demonstrates an intent to construe actual knowledge broadly. Nevertheless, the law explicitly states that businesses are not required to collect age data to comply, which has been a hotly contested requirement under other state laws, as age verification requirements are historically not the least restrictive means of protecting children online and often impact the protected speech of adults.
Vermont takes a different path, triggering obligations when a service is “reasonably likely” to be accessed by minors, establishing a multifactor test that includes internal research and overall audience composition. Vermont’s approach is more akin to an audience assessment like COPPA’s “directed to children” standard for children under age 13. Though, from a practical standpoint, it’s likely that most websites online are reasonably likely to be accessed by at least some minors under the age of 18 who would be in scope of the Vermont AADC. Vermont’s Attorney General is also tasked with developing age assurance rules, including privacy-preserving techniques and guardrails; however, it is not clear whether the AG may seek to compel businesses to affirmative conduct age assurance through this rulemaking, and when questioned, the AG’s office said it was up to legislative intent.
In short, Nebraska seeks to explicitly avoid requiring age verification altogether, while Vermont seems to set the stage for proactive assessment and regulation on age estimation.
Designing around harm without regulating content
Vermont’s AADC contains a duty of care to protect minors in the design of online products but adds important disclaimers in a nod to First Amendment concerns that have plagued similar requirements in other state laws. Covered businesses must design services to avoid reasonably foreseeable emotional distress, compulsive use, or discrimination. However, the bill clarifies that the mere content that a minor views cannot, by itself, constitute harm. Nebraska, by contrast, does not create a duty of care.
To date, most Age-Appropriate Design Code bills have exclusively focused on tools and protections for covered minors. Nebraska breaks from this mold by requiring businesses to build tools for parents to help them monitor and limit their child’s use of online services. This section likely draws inspiration from the federal Kids Online Safety Act, which earlier versions of the Nebraska framework more closely resembled.
Both states require covered services to set strong default privacy settings, but Vermont takes a more granular approach. It explicitly prohibits providing users with a single “less protective” setting that would override others, explicitly limiting the use of all-in-one privacy toggles. Furthermore, a number of its default setting requirements only apply to social media platforms, a divergence from prior AADCs whose requirements have generally been agnostic to the type of online service. For example, Vermont prohibits allowing known adults to like, comment, or otherwise provide feedback on a covered minor’s media on social media. This would be allowed to the extent any non-social media platforms have this type of functionality. In contrast to Vermont’s default settings approach to safer design, Nebraska requires covered businesses to develop various tools for minors. In some instances, these tools overlap with the default settings called for in Vermont and are just a different statutory approach of arriving at the same goal, such as tools for restricting the collection of geolocation data or communicating with unknown adults. Other tools are unique and novel to Nebraska, such as a tool that allows a minor to “opt out of all unnecessary features.” Businesses in scope of both frameworks will need to do a close read to determine what new features, settings, and tools must be implemented.
Both frameworks omit requirements for businesses to complete data protection impact assessments, which emerged as one of the key issues with the California AADC, due to California’s requirement to assess and limit the exposure of children to “potentially” harmful content. While the Ninth Circuit did not hold that risk assessments are per se unconstitutional, and the primary issue in California lay with requiring companies to opine on content-based harms, both Nebraska and Vermont steer away from this issue altogether. Instead, Vermont’s framework would require businesses to issue detailed public transparency reports, including on their use of algorithmic recommendation systems, including disclosure of inputs and how they influence results.
When it comes to targeted advertising, Nebraska is explicit: it prohibits facilitating targeted ads to minors, while allowing exceptions for first-party and contextual advertising. Vermont is less direct, but forbids the use of personal data to prioritize media for viewing unless requested by the minor, which may effectively ban both personalized advertising and certain practices for organizing content based on user interests (though the framework’s algorithmic disclosure requirements suggests an intent that many such systems may remain in use).
Nebraska prohibits the use of so-called “dark patterns” outright – an unusually broad ban that goes beyond previous state privacy laws, which have focused on manipulative practices in obtaining consent or collecting personal information. Instead, Nebraska seeks to prohibit any user interface with the effect of subverting or impairing autonomy, decision-making, or choice. A strict reading of this provision could arguably impact a broad range of design choices including a video game that restricts access to certain areas until you defeat a boss, a button asking you if you’d like to continue, or the content of advertisements (though remember – the number of businesses subject to Nebraska appear incredibly narrow). In contrast, Vermont defers to future rulemaking, authorizing its Attorney General to define and prohibit manipulative design practices by 2027.
Effective dates and next steps
Governor Pillen signed the Nebraska AADC within days of its passage and the law is slated to go into effect on January 1, 2026. However, the Act gives companies some leeway, as the Attorney General is not able to bring actions to recover civil penalties until July 1, 2026. The Vermont AADC would establish a longer onramp for coming into compliance, with an effective date of January 1, 2027. Governor Scott is still considering the bill, though he vetoed a similar effort last year that was included as part of a broader comprehensive privacy package. Assuming the Vermont AADC is enacted, the Attorney General is expected to complete rulemaking on manipulative design practices and methods for conducting age estimation by the effective date.
Conclusion
With courts signaling that speech-based online safety rules are unlikely to survive First Amendment scrutiny, Nebraska and Vermont are two distinct experiments in how to try to achieve the goal of protecting children online in constitutionally resilient ways. NetChoice, the litigant challenging the California and Maryland AADCs, has already raised First Amendment concerns with both the Nebraska and Vermont frameworks.
Each legislature has taken its own “road less traveled” to children’s online safety. Nebraska has opted for a limited scope, feature-driven approach with no rulemaking and an emphasis on actual knowledge. Vermont has chosen a broader duty-of-care model, backed by a robust rulemaking directive and novel transparency requirements. Both paths attempt to avoid the pitfalls of California’s and Maryland’s laws, but take radically diverging routes in doing so. Which, if either, road “has made all the difference” will ultimately depend on courts, compliance practices, and the experience of minors navigating these services in the years to come.
